14. What is Web application Abuse?
Shopping Cart Manipulation
Social Engineering Confidence Scams
Points Systems
Defacement of Site
Transfer of Funds
Data Theft
15. Definition
Manipulating your site (and its trust)
in an attempt to commit fraud,
vandalize your brand,
and compromise your users’ privacy.
29. Phase 1
Silent Introspection
Footprint: Low
Method: Run a debugger, surf the site, collect data, analyze offline
Info Sought: What Web server? Database? Network hardware and software? Programming languages and libraries?
31. Phase 2
Attack Vector Establishment
Footprint: Higher
Techniques:
1. Cloak yourself
2. For all dynamic URLs, test inputs for errors or blind injection to find vulnerabilities
3. For each vulnerability, start structuring your input to shape the error into an attack
33. Phase 3
Implementation
Footprint: Highest
Attack Defined: Now that you know the vector(s), what can you do with them?
• Extract/edit/delete DB records or tables?
• Infect site with a worm that distributes malware?
• Launch a complex phishing scam?
35. Phase 4
Automation
Footprint: Low
Attack Successful: If the attack makes money, you want to do it discreetly again and again
• Write an attack program script
• Buy a pre-fab “Command and Control” kit and raise your own BotNet to attack from
36. Phase 5
Maintenance
Footprint: Low
Attack Successful: Let the money roll in, go do something else
Successful automated abuse can exist undetected in maintenance mode for years
If a patch disrupts the abuse, oh well. Either refine the vector again, or go hunting elsewhere
37. What can you do?
(Diagram: Vulnerability Management, Web Application Firewall and the Mykonos Security Appliance mapped against Phase 1 Silent Introspection, Phase 2 Attack Vector Establishment, Phase 3 Attack Implementation, Phase 4 Attack Automation and Phase 5 Maintenance.)
39. Web Application Intrusion Detection & Prevention
The Mykonos Security Appliance:
1. Identify and track attempts to introspect your sites/apps
2. Gain intelligence about behavior & threat level of bad actors
3. Instantly neutralize threats
40. A New Innovative Approach
(Diagram labels: Network Perimeter, App Server, Client Code Honey-pots, Database Firewall, Traps, Triggers.)
Welcome to this Webinar brought to you by Mykonos Software.
Today’s presentation titled “How Web Applications are Attacked” looks at “Understanding and Responding to the Five Phases of Web Application Abuse”.
My name is Edward Roberts and I’ll be the moderator for this event.
For those of you who are new to Mykonos Software, we are helping companies understand how Web applications are abused by criminal attackers to steal data, commit fraud or even use company bandwidth for un-intended tasks.
The Mykonos Security Appliance detects malicious abuse of web applications before the damage is done. This software solution profiles the abuse through intelligence gathering and responds to any abuse in real-time ultimately preventing data theft, fraudulent behavior and misuse of your Web properties.
You are in listen only mode.
We encourage you to ask questions. We will have time to answer them at the conclusion of the presentation. Please use the panel to submit your questions
You can view the slides and watch the webinar again on our website within the next 2-3 days.
Al Huizenga, Director of Product Management: Al has 11 years of experience managing, releasing, and marketing Web-based products and technologies in companies such as Cognos Inc., Platform Computing, and Panorama Software.
Kyle Adams, Chief Architect: Has final responsibility for code quality and technical excellence. He is a graduate of the Rochester Institute of Technology, earning a Degree in Computer Science with a minor in Criminal Justice. He wrote his first password protection software at age 10, started hacking incessantly, and was writing his own encryption software by age 14. An AJAX expert and enthusiast, Kyle has worked on scores of web application projects.
Today’s presentation has three goals
I want you to think differently about security.
I will offer a unique way to think about security by understanding the behavior of an attacker rather than concentrating on packets of data.
Secondly, today you will see how hackers attack a website with real-life techniques that will frighten you in their simplicity.
And thirdly we want you to help remove Grandma’s frustration because the web is frightening enough to her without having to overcome abuse that she can’t even understand.
You do not have any visibility into the traffic?
Do you know what is normal use?
Do you know what is abusive use?
Do you know who is introspecting your site?
Isn’t it time to understand the behavior of all users on your site rather than just monitoring data packets?
For too long applications have been passive, waiting for a malicious user to attack. The future of Web security is creating smart, self-defensive applications.
It’s time to understand and respond to your web attackers.
But in order to do those two things first you must be able to identify them before they attack your web application.
What is our background with Web application abuse?
Mykonos Software was incubated within Bluetie, one of the first online email and collaboration SaaS providers, operating since 1999. With over 2 million users, Bluetie sees its fair share of malicious users.
What kind of abuse occurred?
Bluetie would see abuse where fake accounts are created. The Web application would be used as a spam engine.
Attackers would change the web application code and write a script against it to use the resources of Bluetie rather than go for stealing data.
It’s a nuisance and wastes company bandwidth and resources and slows down the product to real legitimate users.
What is Web application Abuse?
On the right here we have the ultimate fear which is data theft of credit cards, financial data, SS#’s.
But web application abuse can be many different things.
Shopping cart manipulation – If you can change the number of items in a cart and not pay for it, it can be very lucrative, and to the company it looks like normal use.
Social engineering confidence scams – the recent twitter attack.
Points systems – If you can change the points used you can improve scores in games, change airmiles, change student grades.
Defacement of Site – More of an embarrassment and a nuisance but getting the site defaced creates problems for real users who worry about the safety of going to your site.
Transfer of funds from one account to another – anytime money is accessible on-line there is the opportunity for some abuse.
Data Theft – Credit cards, SS#, personal data, financial data, healthcare data.
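The shopping-cart manipulation described above works because the server trusts the price and quantity the browser sends back. This added example (not code from the presentation; catalog, limits and the tampered request are constructed) puts the vulnerable checkout next to the hardened one that re-derives everything server-side and records the tampering instead of silently accepting it:

```python
# Added example (not from the Mykonos presentation): why shopping-cart
# manipulation works, and the server-side check that closes it.
# Catalog, stock limit and the sample requests are constructed for the demo.

CATALOG = {"tv-55": 899.00, "hdmi-cable": 14.99}   # constructed prices
MAX_QTY_PER_ITEM = 5                                # constructed policy limit


def checkout_trusting_client(cart):
    """Vulnerable pattern: totals come from whatever the browser sent."""
    return sum(item["price"] * item["qty"] for item in cart)


def checkout_server_side(cart):
    """Hardened pattern: price and quantity are re-derived on the server.

    Returns (total, findings); a non-empty findings list means the cart was
    tampered with, so the order must be rejected and the event logged.
    """
    total = 0.0
    findings = []
    for item in cart:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            findings.append(f"unknown sku {sku!r}")
            continue
        # Quantity must be a positive integer within the per-order limit;
        # a zero or negative quantity is how "free" items get manufactured.
        if not isinstance(qty, int) or qty < 1 or qty > MAX_QTY_PER_ITEM:
            findings.append(f"bad quantity {qty!r} for {sku}")
            continue
        # The client price is never used, but a changed one is evidence.
        if "price" in item and abs(item["price"] - CATALOG[sku]) > 0.005:
            findings.append(f"client price {item['price']} != {CATALOG[sku]} for {sku}")
        total += CATALOG[sku] * qty
    return round(total, 2), findings


# Constructed request: a TV with a negative quantity and a re-priced cable.
TAMPERED_CART = [
    {"sku": "tv-55", "qty": -1, "price": 899.00},
    {"sku": "hdmi-cable", "qty": 1, "price": 0.01},
]

if __name__ == "__main__":
    print("client-trusting total:", checkout_trusting_client(TAMPERED_CART))
    print("server-side total/findings:", checkout_server_side(TAMPERED_CART))
```

The findings list is what turns "looks like normal use" into a loggable event: the order is refused and the session can be flagged for the behavior-tracking the rest of the talk describes.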
What does Web application abuse look like?
As we just stated it can take many forms. Let’s take you through some examples….
Grandma has been saving up for a flat screen TV.
She sees that an online electronics store is going to have a great sale on a particular model on Black Friday.
She waits until the minute the sale starts, and goes online to make the purchase. Sadly, younger, more tech savvy shoppers have figured out how to reserve all of the flat screen TVs in inventory by automating the application shopping cart.
Grandma is out of luck – even though she jumped in right away to make the purchase, it looks like the store is out of TVs, and she feels ripped off.
Grandma decides to go online and see Christmas pictures from her family around the US.
When she gets into the site, she sees a message from her daughter, and clicks it.
Oddly, instead of showing family pictures, the message automatically redirects her to a pornography site.
Grandma is shocked, upset, and vows never to go to that social networking site again.
Also, she doesn’t know it, but that porn site downloaded a virus to her laptop. Grandma has been compromised.
The shock took its toll on Grandma’s heart, and she goes to her pharmacy’s Web site to get her heart medication prescription refilled.
She has an account on the site that contains her Medicare information, including social security number, address, and her CC information too.
What she doesn’t know is that the pharmacy Web site has been compromised, and criminals regularly and discreetly pull all of that PII from the database, and sell it on the black market.
Grandma is a prime candidate for identity theft.
Why does Web application abuse happen?
It’s a factor of where security is today.
According to Gartner, the impact of the web application revolution is that 70% of all threats are now at the web layer.
The focus has been on the network.
93% of security spending is at the network layer.
The network has been well secured and the techniques used were effective.
Then came web apps and we blew open port 80. We put applications on the web and many companies put the entire business on the web.
And this is open to 2 billion users with a browser to use or abuse.
In almost half of companies (41%), less than 2% of developer headcount is focused on security.
What does that mean to you? WASC states that the average web application has 12 vulnerabilities. Multiply that by how many web applications your organization has and you’ll see how many options an abusive user has.
What are the common characteristics of a Web attack?
Based on a deep understanding of application behavior
Hard to filter out effectively over time
Often automated or distributed
Not a one-time incident (it just gets reported that way)
The actual attack vector that works needs to be established first
The abuse needs to be tested and automated
It has its own dev lifecycle
Examples: Twitter
Vulnerability management and filtering help…but have their limits
Code scanning, pre- or post-compile, is hard because who is going to go back and patch all the vulnerabilities that are found? Many are in third-party apps, and most companies are not going to re-write all their internal apps.
It’s hard to pre-guess all possible vulnerabilities and vectors
It’s hard to filter intelligently and dynamically enough
New solutions are attempting to hook into the application context, use it to understand abusive behavior, and respond adaptively
The Mykonos Security Appliance works during the first two phases of the attack.
It does three things to help you catch an attacker before the damage is done.
1. Identify and track attempts to introspect your sites/apps.
2. Gain intelligence about behavior & threat level of bad actors
3. Instantly neutralize threats.
We have an innovative approach.
We work as a reverse proxy.
We insert detection points into the code as it is delivered to the browser.
If an abusive user plays with one of the detection points we deliver a token onto the hacker’s machine so that we can re-identify them if they return.
And maybe we wouldn’t annoy our grandmas if we all went a little more proactive on our defense of Web application abuse.
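The reverse-proxy approach just described, reduced to its two halves as an added example (this is not Mykonos code, and the field name, cookie name and scoring are assumptions): on the way out, a detection point is injected into the HTML as a hidden form field that a normal browser echoes back unchanged; on the way in, any request that alters it is profiled and tagged with a persistent token so the same client is recognized when it returns.

```python
# Added example (not Mykonos code): a honeypot "detection point" injected by
# a reverse proxy, plus the inbound check that profiles tampering and tags
# the client for re-identification. Names below are assumed, not the product's.
import secrets

DETECTION_FIELD = "_dp_discount"   # assumed bait parameter name
BAIT_VALUE = "0"                   # legitimate browsers submit this unchanged
TOKEN_COOKIE = "_dp_id"            # assumed re-identification cookie name
profiles = {}                      # token -> list of observed tamper events


def inject_detection_point(html):
    """Outbound filter: add the bait field to every form in the response."""
    bait = f'<input type="hidden" name="{DETECTION_FIELD}" value="{BAIT_VALUE}">'
    return html.replace("</form>", bait + "</form>")


def inspect_request(params, cookies):
    """Inbound filter. Returns (verdict, cookie_to_set_or_None).

    verdict is 'clean', 'tampered' (bait altered this request) or
    'returning' (a previously tagged client, no new tampering).
    """
    token = cookies.get(TOKEN_COOKIE)
    tampered = DETECTION_FIELD in params and params[DETECTION_FIELD] != BAIT_VALUE
    if tampered:
        new_cookie = None
        if token not in profiles:          # unknown or forged token: mint one
            token = secrets.token_hex(16)
            profiles[token] = []
            new_cookie = (TOKEN_COOKIE, token)
        profiles[token].append({"field": DETECTION_FIELD,
                                "sent": params[DETECTION_FIELD]})
        return "tampered", new_cookie
    if token in profiles:
        return "returning", None
    return "clean", None


def threat_level(token):
    """Crude "threat level of bad actors": number of tamper events on record."""
    return len(profiles.get(token, []))
```

Because real users never see or edit the bait field, every non-default value is a high-confidence signal of introspection rather than a guess from packet contents.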